IMPROVED ACCESS CONTROL LISTING MECHANISM FOR ROUTERS 

Field of the invention 

[01] The invention relates to router interfaces in telecommunication systems, 
and more particularly to access control lists associated with such interfaces. 

Background of the invention 

[02] Internet routers in communication systems receive internet protocol (IP) 
packets at interfaces on line cards. A router contains numerous line cards, each 
of which can have a number of interfaces. Typically, each interface has an 
associated access control list (ACL) stored on the line card within a Ternary 
Content Addressable Memory (TCAM). An ACL is a set of rules to be applied 
to IP packets in order to filter unwanted packets, or perform other actions on 
packets such as counting or copying. Each rule is composed of a key and an 
action. When an IP packet arrives through an interface, the router extracts 
specific fields from the packet to form a key and searches the ACL associated 
with the interface for a rule having a matching key. If a rule is found, the filter 
applies the action associated with the rule to the packet. 

[03] Interfaces may have identical sets of rules. Some routers take advantage 
of this to simplify configuration and troubleshooting, and to improve 
robustness. Sets of rules are copied between ACLs. However, once loaded into 
the TCAM, each rule of each ACL of each interface is stored and accessed 
separately. There is therefore no saving of TCAM storage space. Other routers 
go further and share a single ACL between two or more interfaces. While this 
somewhat reduces the amount of TCAM storage space needed, this is only 
possible if the interfaces have all their rules in common. 
[04] Improvements in the storage capacity of TCAMs have not progressed as 
quickly as improvements in access rate. Due to space and power constraints 
associated with TCAMs and to the cost of TCAMs, it is preferable to keep the 
number and size of TCAMs on each line card to a minimum. This may be 
difficult in some situations, as routers often support hundreds of interfaces and 
hundreds of ACLs, requiring large TCAM storage space. Line interface cards 
which minimized the total number of rules being stored would allow fewer or 
smaller TCAMs to be used, thereby saving space and power. Alternatively, 
such cards could support more rules for the same space and power usage. 

Summary of the invention 

[05] In accordance with one aspect of the invention, a method is provided for 
determining rules to be applied to a data packet arriving at a first interface 
within a data packet router. At least two sets of rules are associated with the 
first interface, at least one of the sets of rules being a shared set of rules also 
associated with a second interface. A key of the data packet is determined. The 
at least two sets of rules are searched for at least one rule matching the key. 

[06] In accordance with another aspect of the invention, a method is provided 
for providing security in a data packet router at which a data packet arrives at a 
first interface. At least two sets of rules are associated with the first interface, at 
least one of the sets of rules being a shared set of rules also associated with a 
second interface, each rule in the at least two sets of rules having an associated 
action. A key of the data packet is determined. The at least two sets of rules are 
searched for at least one rule matching the key. If at least one rule matching the 
key is found, the action associated with each of the at least one rule is applied to 
the data packet. 

[07] A line card for implementing the methods of the invention is provided. 
The methods of the invention may also be stored as instructions on a computer- 
readable medium. 
[08] The method and line interface card of the present invention allow rules 
to be shared between interfaces, while still allowing rules specific to individual 
interface cards to be used. By sharing rules between interfaces rather than just 
copying the rules, memory storage space (such as TCAM) is saved, thereby 
reducing the cost and power consumption of the line card. 

Brief description of the drawings 

[09] The features and advantages of the invention will become more apparent 
from the following detailed description of the preferred embodiment(s) with 
reference to the attached figures, wherein: 

FIG. 1 is a block diagram of a router according to one embodiment of the 
invention; 

FIG. 2 is a block diagram of an example association between interface 
cards and ACLs of FIG. 1; and 

FIG. 3 is a flowchart of a method by which the filter of FIG. 1 accesses 
rules within the ACLs according to one embodiment of the invention. 

[10] It will be noted that in the attached figures, like features bear similar 
labels. 

Detailed description of the embodiments 

[11] Referring to FIG. 1, a router 10 in accordance with a preferred 
embodiment of the invention is shown. The router 10 includes a line card 12. 
The line card 12 includes four interfaces 14, 16, 18, and 20, over which internet 
protocol (IP) packets arrive. The line card 12 also includes a Ternary Content 
Addressable Memory (TCAM) 24. The TCAM stores a plurality of Access 
Control Lists (ACLs). At least one ACL is a specific ACL 26 and at least one 
ACL is a shared ACL 28. Each interface is associated with at least one ACL, as 
described below. 

[12] The line card 12 also includes a filter 34. For each IP packet, the filter 34 
extracts specified fields from the IP packet header to build a key, searches the 
ACLs associated with the interface over which the IP packet arrived for rules 
corresponding to the key derived from the IP packet, and performs an action 
associated with any such rules which are found. The filter 34 comprises 
instructions for locating and applying rules corresponding to received IP 
packets, and is preferably in the form of software running on a processor. More 
generally, the filter may contain instructions in the form of any combination of 
software or hardware within a processor, including hardware within an 
integrated circuit. The processor need not be a single device, but rather the 
instructions could be located in more than one device. If in the form of 
software, the instructions may be stored on a computer-readable medium. 

[13] Each specific ACL 26 is associated with a single interface, and each 
interface may be associated with a corresponding specific ACL. Each specific 
ACL includes rules particular to the interface to which it corresponds. These 
rules may include associated actions such as packet denial, packet acceptance, 
packet counting, and packet copying. Each shared ACL 28 is associated with at 
least two interfaces, and each interface is associated with at least one shared 
ACL. Each shared ACL 28 includes rules which some or all interfaces have in 
common. Referring to FIG. 2, an example association between interfaces and 
ACLs is shown. Each interface has one associated specific ACL 26. Two 
interfaces 14 and 16 are associated with one shared ACL 28a, and all four 
interfaces are associated with one shared ACL 28b. Each specific ACL 26 
includes rules which may be applied to IP packets arriving over the 
corresponding interface. The shared ACL 28a includes rules which may be 
applied to IP packets arriving over either of its two associated interfaces 14 and 
16. The shared ACL 28b includes rules which may be applied to IP packets 
arriving over any of the interfaces. 
[14] Since most interfaces typically have more rules in common with at least 
one other interface than they have rules specific to the interface, a significant 
saving of TCAM storage can be realized, as can large scaling benefits. For 
example, consider the case of each interface having 75 rules in common with 
other interfaces, and having 25 rules specific to the interface, and assume there 
are 100 interfaces. If each interface had its own unique ACL, TCAM storage for 
100 lists of 100 rules each, or 10,000 rules, must be provided. By using a shared 
ACL, and by allowing rules for an interface to be stored in more than one ACL, 
TCAM storage must be provided for only one list of 75 rules and 100 lists of 25 
rules, or 2575 rules in total. 

[15] Returning to FIG. 1, the router 10 also includes a plurality of other line 
cards 36, the details of which are not shown in FIG. 1. Each of these other line 
cards 36 is similar to the line card 12, including a plurality of interfaces, a filter, 
a TCAM, and a plurality of ACLs, although the number of ACLs may differ 
between line cards. 

[16] Referring to FIG. 3, a method of retrieving and applying a rule for an IP 
packet according to one embodiment of the invention is shown. At step 50 an 
IP packet arrives on one of the interfaces 14, 16, 18, and 20. The IP packet has an 
IP header and a Transmission Control Protocol (TCP) header. At step 52 the 
filter 34 determines a key for the IP packet from information within the IP 
header and the TCP header of the IP packet. The key may be determined from 
such information as an IP source address, an IP destination address, an ICMP 
type/code, a protocol number, a TCP/UDP source port, and a TCP/UDP 
destination port. 

[17] The filter 34 includes an interface lookup table to determine which ACL 
or ACLs are to be searched. At step 54 the filter 34 searches within an ACL 
associated with the interface for a rule matching the key. If at step 56 a rule was 
found, then the filter applies an action associated with the rule to the IP packet 
at step 58. Examples of such actions include denial of the packet, acceptance of the 
packet, counting the packet, and copying the packet. There will typically be at 
least two ACLs associated with the interface, although there may be interfaces 
on the line card associated with only one ACL. If at step 56 no rule was found, 
or once the action associated with a found rule has been applied at step 58, 
then at step 60 the filter 34 determines whether another 
ACL exists which is associated with the interface. If at step 60 the filter 34 
determines that another ACL associated with the interface exists, then at step 54 
the filter 34 searches within the ACL for a rule matching the key. If at step 60 
the filter 34 determines that another ACL associated with the interface does not 
exist, then the filter has finished searching for rules associated with the 
interface. 

[18] The filter 34 may search the ACLs associated with an interface in any 
order. However, in the preferred embodiment the filter maintains a priority 
order for each interface. This priority order may be configured by the user. 
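The following Python is an added example, not code from the patent or from any router vendor. It models the FIG. 3 procedure (steps 52 to 60) together with the FIG. 2 association of one specific ACL per interface plus shared ACLs, and it reproduces the storage arithmetic of paragraph [14] with a generated 100-interface card. The class names (Rule, LineCard), the ACL names (acl26_14, acl28a, acl28b, spec0, shared), every rule and every packet are constructed for illustration; a TCAM's ternary match is approximated by treating an unset rule field as a don't-care, and the interface lookup table of paragraph [17] is a plain dictionary holding the ACL names in priority order.

```python
"""Added example, not code from the patent: a software model of the FIG. 3 lookup
over a specific ACL per interface plus shared ACLs (laid out as in FIG. 2) and of
the TCAM entry counts of paragraph [14]. All names, rules and packets are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Ternary key (None = don't-care, like a masked TCAM field) plus an action."""
    action: str                       # "deny", "permit", "count" or "copy"
    src: Optional[str] = None         # source prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None         # destination prefix
    proto: Optional[int] = None       # IP protocol number
    sport: Optional[int] = None       # TCP/UDP source port
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None   # ICMP type

    def matches(self, key: dict) -> bool:
        for f in ("proto", "sport", "dport", "icmp_type"):
            want = getattr(self, f)
            if want is not None and key.get(f) != want:
                return False
        for f in ("src", "dst"):
            want = getattr(self, f)
            if want is not None and ip_address(key[f]) not in ip_network(want):
                return False
        return True


def extract_key(pkt: bytes) -> dict:
    """Step 52: pull the key fields out of the IPv4 header and the L4 header."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    key = {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
           "proto": proto}
    l4 = pkt[ihl:]
    if proto in (6, 17):              # TCP/UDP: ports are the first four bytes
        key["sport"], key["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:                  # ICMP: type and code
        key["icmp_type"], key["icmp_code"] = l4[0], l4[1]
    return key


class LineCard:
    """TCAM contents (each ACL stored once) and the interface lookup table of
    paragraph [17], listing ACLs in configured priority order (paragraph [18])."""

    def __init__(self, acls: dict, lookup_table: dict):
        self.acls = acls                   # ACL name -> list[Rule]
        self.lookup_table = lookup_table   # interface -> [ACL name, ...]

    def filter(self, interface: str, pkt: bytes) -> list:
        """Steps 52-60: one first-match lookup per associated ACL; returns the
        (ACL, action) pairs applied, in search order."""
        key = extract_key(pkt)
        applied = []
        for acl_name in self.lookup_table[interface]:           # step 60
            hit = next((r for r in self.acls[acl_name] if r.matches(key)), None)
            if hit is not None:                                 # steps 56, 58
                applied.append((acl_name, hit.action))
        return applied

    def tcam_entries(self) -> int:
        """Rules actually stored: a shared ACL counts once."""
        return sum(len(rules) for rules in self.acls.values())

    def entries_if_copied(self) -> int:
        """Rules needed if each interface held its own copy (paragraph [03])."""
        return sum(len(self.acls[a]) for names in self.lookup_table.values() for a in names)


def build_packet(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 header (no options, zero checksum) followed by L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + l4


def fig2_line_card() -> LineCard:
    """FIG. 2 layout: a specific ACL 26 per interface, shared ACL 28a on
    interfaces 14 and 16, shared ACL 28b on all four."""
    acls = {"acl26_14": [Rule("deny", dst="192.0.2.10/32", proto=6, dport=22)],
            "acl26_16": [Rule("copy", proto=1)],
            "acl26_18": [Rule("deny", proto=6, dport=23)],
            "acl26_20": [Rule("permit", src="198.51.100.0/24")],
            "acl28a": [Rule("count", proto=17, dport=53)],
            "acl28b": [Rule("deny", src="10.0.0.0/8"), Rule("permit", proto=6, dport=443)]}
    table = {"if14": ["acl26_14", "acl28a", "acl28b"], "if16": ["acl26_16", "acl28a", "acl28b"],
             "if18": ["acl26_18", "acl28b"], "if20": ["acl26_20", "acl28b"]}
    return LineCard(acls, table)


def paragraph14_line_card(n_interfaces=100, shared=75, specific=25) -> LineCard:
    """Sizing case of paragraph [14]: one ACL of `shared` rules on every interface
    plus an ACL of `specific` rules per interface."""
    acls = {"shared": [Rule("count", dport=1000 + i) for i in range(shared)]}
    table = {}
    for n in range(n_interfaces):
        acls[f"spec{n}"] = [Rule("deny", dport=2000 + j) for j in range(specific)]
        table[f"if{n}"] = [f"spec{n}", "shared"]
    return LineCard(acls, table)
```

For the FIG. 2 card, `tcam_entries()` returns 7 while `entries_if_copied()` returns 14, and the generated paragraph [14] card returns 2575 against 10,000. Within one ACL the lookup is first-match, as a TCAM returns its highest-priority hit, so a packet sourced from 10.0.0.0/8 is denied by acl28b even though its later permit rule would also match. Across ACLs the flowchart continues to the next list after an action has been applied, so `filter()` reports every action in search order; how a denial in one ACL interacts with actions found in later ACLs is not specified by the text above, and a real filter would settle that in its action semantics.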

[19] Not every shared rule need be stored in a shared ACL, and there may be 
duplication of rules on different specific ACLs. However, this will increase the 
amount of TCAM storage being used. In order to minimize the amount of 
TCAM storage required, every shared rule should be stored in a shared ACL. 

[20] The line card 12 may have a plurality of TCAMs, each containing at least 
one of the ACLs. 

[21] The invention has been described with respect to a line card having four 
interfaces, one TCAM, two specific ACLs, and four shared ACLs. More 
generally, the line card has a plurality of interfaces, and at least two ACLs, at 
least one of which is a shared ACL. A shared ACL may either contain rules that 
are shared amongst all interfaces, or contain rules that are shared between only 
a subset of interfaces. Interfaces may be associated with any number of shared 
ACLs and may or may not be associated with a specific ACL. However, at least 
one interface is associated with at least two ACLs, at least one of which is a 
shared ACL. In this way TCAM storage space can be saved. 
[22] A practical limit on the number of ACLs associated with each interface is 
the ACL access time. The time taken to access the ACLs must be less than the 
time available to process a packet. For example, the OC-48 line rate requires a 
packet processing rate of approximately 6.1 Mpps (million packets per second). 
With current TCAM access rates on the order of 60 to 100 million lookups per 
second, the number of ACLs associated with each interface is limited to about 
eight. 

[23] The invention has been described with reference to IP packets, routers, 
and ACLs. More generally, the invention may be applied to any packet switch 
(such as an Ethernet switch, an ATM switch, or an IPv6 switch) which includes 
interface specific sets of rules containing rules to be applied to incoming 
packets. For example, the invention may be applied to more general rule-based 
security functions, such as rate-limiting and rate-policing, policy-based 
forwarding, priority assignment, and classification. The key for a received 
packet may be determined by the filter using any variation of packet header 
information. 

[24] The embodiments presented are exemplary only and persons skilled in 
the art would appreciate that variations to the above described embodiments 
may be made without departing from the spirit of the invention. The scope of 
the invention is solely defined by the appended claims. 